preauth mechanism functioning at the client-side

Tim Alsop Tim.Alsop at CyberSafe.Com
Mon Aug 13 13:43:40 EDT 2007


You may remember that I replied to your last email, showing you the
output from our software, which already supports RSA SecurID, VASCO
Digipass and Secure Computing SafeWord tokens. To implement this we have
support in our client software to handle hardware authentication
pre-auth type. This is so that the client can ask the user for the
information from the token + pin (if applicable). Without any client
code changes the client is only aware of how to ask for a principal name
and password.

Also, when you select a pre-auth type, please check the RFCs in case of
a conflict with other pre-auth types that are known. 


-----Original Message-----
From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf
Of Gopal Paliwal
Sent: 13 August 2007 18:23
To: krbdev at
Subject: preauth mechanism functioning at the client-side


I am implementing an OTP support mechanism in existing Kerberos 1.6.1.
Till now, I have done the server changes and the AS_REP contains one
required timestamp as OTP one. I wish to know, will the existing client
be able to send 2 preauth sequences (one is pa_enc_timestamp) and the other
is my declared preauth-using OTP?
Or does the client just send any one of the asked preauth types?

I see that the server would be able to support more than one preauth-type
by the client by making it verify each preauth type in a loop but I am
sure about how the client behaves in sending multi-preauth types.

I debugged the client code and I could make out that the client gets my
created preauth mechanism as hint but still it selects enc_time-stamp as
default one to reply back. The number I chose for my preauth type is 32.

-Gopal Paliwal